How to detect MFA bypass attempts on your VPN.
Attackers try to bypass MFA via push bombing, MFA fatigue, OAuth grant abuse or legacy protocol abuse. Login event logging is your only real friend.
Try this first
1. Log all authentication events with geo, user agent and success/failure.
2. Alarm on more than 3 failed MFA prompts in 5 minutes for the same user (push fatigue).
3. Block legacy auth (basic auth) on Microsoft 365, by far the most abused VPN bypass.
4. Geo impossible travel: login from NL then Brazil 10 min later = auto revoke.
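
The two alerting rules above (failed-prompt burst and impossible travel), sketched as detection logic over authentication events. This is an added example, not code from this page or from any vendor: the event field names (`ts`, `user`, `country`, `mfa`) are assumptions, the sample events are constructed, and "impossible travel" is simplified to a country change between two successful logins within 10 minutes.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events; the schema is an assumption, map it to your own logs.
EVENTS = [
    {"ts": "2024-05-01T09:00:00", "user": "alice", "country": "NL", "mfa": "denied"},
    {"ts": "2024-05-01T09:01:00", "user": "alice", "country": "NL", "mfa": "denied"},
    {"ts": "2024-05-01T09:02:00", "user": "alice", "country": "NL", "mfa": "denied"},
    {"ts": "2024-05-01T09:03:00", "user": "alice", "country": "NL", "mfa": "denied"},
    {"ts": "2024-05-01T10:00:00", "user": "bob", "country": "NL", "mfa": "success"},
    {"ts": "2024-05-01T10:10:00", "user": "bob", "country": "BR", "mfa": "success"},
    # carol: four failures, but spread out so no 5-minute window holds more than 3
    {"ts": "2024-05-01T11:00:00", "user": "carol", "country": "NL", "mfa": "denied"},
    {"ts": "2024-05-01T11:02:00", "user": "carol", "country": "NL", "mfa": "denied"},
    {"ts": "2024-05-01T11:04:00", "user": "carol", "country": "NL", "mfa": "denied"},
    {"ts": "2024-05-01T11:08:00", "user": "carol", "country": "NL", "mfa": "denied"},
]

FAIL_WINDOW = timedelta(minutes=5)
MAX_FAILED = 3                      # alert on MORE than 3 failed prompts in the window
TRAVEL_WINDOW = timedelta(minutes=10)

def detect(events):
    """Return (rule, user, timestamp) alerts for push fatigue and impossible travel."""
    alerts = []
    failed = defaultdict(deque)     # user -> timestamps of recent failed MFA prompts
    last_ok = {}                    # user -> (time, country) of last successful login
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["ts"])):
        ts, user = datetime.fromisoformat(ev["ts"]), ev["user"]
        if ev["mfa"] != "success":
            q = failed[user]
            q.append(ts)
            while ts - q[0] > FAIL_WINDOW:   # slide the window forward
                q.popleft()
            if len(q) > MAX_FAILED:
                alerts.append(("mfa_fatigue", user, ev["ts"]))
                q.clear()                    # one alert per burst, not one per prompt
        else:
            prev = last_ok.get(user)
            if prev and prev[1] != ev["country"] and ts - prev[0] <= TRAVEL_WINDOW:
                alerts.append(("impossible_travel", user, ev["ts"]))
            last_ok[user] = (ts, ev["country"])
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The failure queue is keyed per user and slides with each event, so slow, spread-out failures like carol's do not trigger the fatigue rule.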
When to bring us in
You have no SIEM and login events are not retained: at minimum enable Microsoft Sentinel or Defender XDR for 90 days, otherwise you cannot even reconstruct a breach.
See also
- VPN will not connect or keeps dropping: Two main causes: your home internet or the VPN server. One quick test separates them.
- VPN connects but corporate folders are unreachable: Connection says "green" but your network drives will not open. Almost always a DNS or routing issue.
- Home PC slow on VPN, fast at the office: Three suspects: home internet, VPN server limits, or routing that takes a long detour.